148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet
A campaign of 148 npm packages disguised as student web proxies created a DDoS botnet by hijacking visitors' browsers rather than compromising developer machines. The malware utilized two distinct modules: a remote script loader (G2) to execute HTTP floods against educational institutions, and a WebSocket flood generator (I2) to overwhelm proxy server infrastructure via control-plane exhaustion. Unlike typical supply chain attacks that trigger during installation, this threat remained dormant un
Analysis
TL;DR
- A campaign of 148 npm packages disguised as student web proxies created a DDoS botnet by hijacking visitors' browsers rather than compromising developer machines.
- The malware utilized two distinct modules: a remote script loader (G2) to execute HTTP floods against educational institutions, and a WebSocket flood generator (I2) to overwhelm proxy server infrastructure via control-plane exhaustion.
- Unlike typical supply chain attacks that trigger during installation, this threat remained dormant until the user visited the proxy website, leveraging the npm registry merely as a distribution vector for web-based exploitation.
- The attack exploited vulnerabilities in the deprecated
wisp-server-nodelibrary, causing rapid allocation and teardown of connections that exhausted file descriptors and flooded logs on targeted servers. - Infrastructure analysis revealed a loosely organized operator cluster using a single IP address and juvenile naming conventions, highlighting significant gaps in npm’s rate-limiting and content moderation for newly published packages.
Why It Matters
This incident demonstrates a sophisticated evolution in supply chain attacks, shifting the target from developers to end-users by repurposing the package registry as a hosting platform for malicious web applications. It highlights critical security risks in the JavaScript ecosystem, particularly regarding the lack of runtime checks for client-side code executed via npm-distributed websites. For security practitioners, it underscores the necessity of monitoring not just for malicious code in dependencies, but for the misuse of registries to distribute web-based exploits that leverage browser capabilities for large-scale DDoS operations.
Technical Details
- Distribution Mechanism: 148 npm packages (e.g.,
charlie-kirk,ilovefemboys) were published with no lifecycle hooks or native build scripts, functioning solely as landing pages for a proxy app branded "Lucide." - Module G2 (HTTP Flood): A remote script loader fetched JavaScript from a mutable GitHub repository via jsDelivr CDN without Subresource Integrity (SRI) checks. It executed a crude HTTP flood, sending one-megabyte POST requests every 500ms to targets like
cdn.caan.edu, generating approximately 2 MB/s of upload traffic per visitor. - Module I2 (WebSocket Control-Plane Attack): This module connected to a Wisp endpoint (
lunaron.top) and opened up to 1,024 WebSocket connections per browser tab. It sent valid Wisp CONNECT and CLOSE frames targetinglocalhost:1on the remote server, forcing the server to allocate and tear down thousands of connections rapidly. - Exploitation of Legacy Libraries: The attack specifically targeted the deprecated
wisp-server-nodelibrary, which failed to validate destination addresses or limit connection rates, leading to file descriptor exhaustion and log flooding on the proxy servers. - Infrastructure: The campaign was hosted on a single IP address (92.38.177.17) via G-Core Labs, with deployment accounts registered seconds apart, indicating a coordinated but technically immature operation.
Industry Insight
- Registry Security Reevaluation: Organizations must recognize that npm packages can serve as vectors for web-based attacks even if they contain no malicious code at install time. Security tools should analyze the runtime behavior of hosted content, not just the static code in the package.
- Client-Side Supply Chain Risks: The use of mutable CDNs (like jsDelivr pointing to main branches) without integrity checks allows attackers to update payloads dynamically. Developers and users should enforce strict Content Security Policies (CSP) and verify SRI hashes for all external scripts.
- Deprecation and Maintenance Hygiene: The success of this attack relied on the continued use of deprecated libraries like
wisp-server-node. Maintainers of widely used protocols and libraries must prioritize security patches and deprecation notices, while users should migrate away from known vulnerable implementations immediately.
Disclaimer: The above content is generated by AI and is for reference only.